Short notes and essays about stuff that interests me (mostly technical stuff).

Sunday, April 26, 2009

Was I Confickered?

I spent most of last week trying to figure out if I had a virus infection on my primary machine. At the end of it all, I found myself still confused about exactly what had occurred. Here's what happened:

About a week ago, we started to get some indications that something was wrong in our internal network. Specifically:

Various automated jobs and test runs started to fail, with error messages indicating that accounts were locked out

Various machines running Symantec Anti Virus File System Auto Protect started popping up dialogs indicating that AutoProtect had detected and removed an instance of W32.Downadup.B.

After a bit of conferring and studying, we decided that it was clear that we had an instance of the Conficker virus inside our machine room. We studied the virus descriptions and mitigations and started work on eradicating it, using a multi-step approach:

Using tools such as the Conficker Eyechart, the Microsoft MSRT, and Symantec's scanner, we tried to determine which machines were actively infected. These machines we shut down and disconnected from the network.

For those machines, we then removed the virus, verified that all Windows Updates were applied, re-scanned the machines, and then restored them to the network.

We monitored network and security activity, looking for machines that we had missed.

One of the machines in the network was my own desktop, which displayed confusing, ambiguous, and contradictory symptoms:

The Symantec Auto-protect pop-ups on other machines claimed that they had received the virus from my machine. Multiple machines detected this, so it's hard to dismiss it as a single outlier.

On my machine, when we examined it in detail, the Automatic Updates service and the Background Intelligent Transfer Service were disabled. This is one of the symptoms of the Conficker virus; it shuts these services down to try to prevent the infected host from running Windows Update.

However:

Multiple virus scans of the machine, by multiple virus scanners, failed to detect the virus, although the various virus scanners detected the virus on other machines successfully.

None of the special registry entries that the virus is supposed to create were present.

None of the mystery files in the system directory were present.

The in-memory DNS hooks that the virus uses to disable Windows Update (and which are checked by the eyechart) were not present, and the eyechart displayed without errors.

Our network scanners did not detect the suspicious network traffic that was present with other infected machines (e.g., the traffic which was trying to test for machine users with weak passwords).
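One check worth automating from the symptoms above, as an added example that is not part of the original post: the account lockouts in the first list and the weak-password probing in this one both leave lockout records on the domain controller, and counting how many distinct accounts each calling host locked out singles out hosts to examine first. The log format, host names and account names below are constructed stand-ins, not a real Windows event export.

```python
"""Triage helper: rank hosts by how many distinct accounts they locked out.

Constructed log format (a stand-in, not a real Windows event export):
  <timestamp> LOCKOUT account=<name> caller=<host>
"""
import re
from collections import defaultdict

# Constructed sample records; WS-07 locks out several accounts in quick
# succession, WS-12 locks out a single one, and one line is malformed.
SAMPLE_LOG = """\
2009-04-20T08:01:12 LOCKOUT account=buildsvc caller=WS-07
2009-04-20T08:01:15 LOCKOUT account=testrun caller=WS-07
2009-04-20T08:01:20 LOCKOUT account=backup caller=WS-07
2009-04-20T09:30:00 LOCKOUT account=jdoe caller=WS-12
this line is not a lockout record and is skipped
2009-04-20T08:02:03 LOCKOUT account=admin2 caller=WS-07
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) LOCKOUT account=(?P<account>\S+) caller=(?P<caller>\S+)$"
)


def parse_lockouts(text):
    """Yield (timestamp, account, caller) tuples, skipping malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("ts"), m.group("account"), m.group("caller")


def lockouts_by_caller(text):
    """Map each calling host to the set of distinct accounts it locked out."""
    by_caller = defaultdict(set)
    for _, account, caller in parse_lockouts(text):
        by_caller[caller].add(account)
    return by_caller


def suspicious_callers(text, threshold=3):
    """Hosts that locked out at least `threshold` distinct accounts, worst first.

    One user mistyping a password locks one account; a host guessing weak
    passwords across many accounts locks many, which is the pattern to look for.
    """
    ranked = sorted(lockouts_by_caller(text).items(),
                    key=lambda kv: (-len(kv[1]), kv[0]))
    return [(host, sorted(accts)) for host, accts in ranked if len(accts) >= threshold]


if __name__ == "__main__":
    for host, accts in suspicious_callers(SAMPLE_LOG):
        print(f"{host}: {len(accts)} distinct accounts locked out: {', '.join(accts)}")
```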

So I'm left with a stumper: did my machine have the virus, or not? If it did, how was the virus removed (or is it still present and, if so, how is it evading the scanners and why is it showing no other symptoms)? If my machine did not have the virus, then why did the AutoProtect pop-ups on the other machines signal that my machine was the source of the infection, and why were the two system services disabled?

It's possible that I disabled the system services myself. Since I routinely use this machine for complicated long-running performance tests, I occasionally do things like disable background system services for a while to avoid interference with the tests, then forget to re-enable them. Though I don't remember doing that in this case.

At this point, the virus infection appears to have subsided, which is good.

But it's frustrating that I came away from the experience not understanding some basic things, such as:

Which machines were infected, and why? Many of the infected machines were unpatched, and were not running the AutoProtect scanner, so they were not well defended. But at least two machines which were infected should have been protected.

How did the virus originally enter the network? None of the infected machines appear to have been the source of the virus.

Was my machine infected? If so, how, and is it still infected?

Virus analysis is complex and confusing. I try to keep myself educated by doing things like routinely reading SecurityFocus, and security-basics, and bugtraq, and dailydave, and the like, and I try to avoid the most dangerous practices. But I have neither the time nor the energy to devote every waking instant to being virus-free, so I accept a certain amount of risk (for example, for a variety of reasons, I do too much work on my machine while logged in to an administrator-privileged account, and there are other administrator-privileged accounts on my machine which have weak passwords).